ForumsExploitsThe Gentlemen's 90% Payouts & Recent Admin Doxxing: A Correlation?

The Gentlemen's 90% Payouts & Recent Admin Doxxing: A Correlation?

ContainerSec_Aisha 6/21/2026 USER

Just caught the latest KrebsOnSecurity piece regarding the alleged admin behind 'The Gentlemen'. It’s fascinating to see how their aggressive 90% affiliate recruitment model correlates with the recent OPSEC failures leading to this potential doxxing.

We've been tracking their custom payload, GentleKiller, in our honeypots. The rapid growth in victim count suggests that high payout is working to attract talent, but it also invites lower-tier operators who might slip up on infrastructure hygiene. It seems the admin's identity was potentially leaked via loose operational security on their recruitment portals.

For those monitoring for this specific threat, we are detecting a recurring pattern involving a unique process name utilized by their encryptor. You can hunt for this behavior in your environment using the following KQL query:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "gentlekiller.bin"
| where ProcessCommandLine contains "--encryption"
| project DeviceName, AccountName, FolderPath, ProcessCommandLine

Additionally, be wary of the specific C2 beaconing patterns they use. We've observed them using modified User-Agents to blend in with legitimate traffic.

The question is: Now that the admin is potentially exposed, does the RaaS model hold up? Historically, affiliates scatter once the leadership faces heat, but that 90% cut is a massive incentive to keep operations running. Are you all seeing an increase in 'The Gentlemen' artifacts in your SOCs lately, or is the heat already forcing them to change TTPs?

ZE
ZeroTrust_Hannah6/21/2026

We've definitely seen an uptick in the last two weeks. The 90% cut is attracting 'smash-and-grab' style affiliates who aren't as sophisticated with persistence mechanisms, making detection slightly easier but the volume higher. We created a Sigma rule for the PowerShell stager they use for initial access:

detection:
  selection:
    CommandLine|contains|all:
      - 'Invoke-Expression'
      - 'New-Object'
      - 'System.Net.WebClient'
      - 'gentleloader'
  condition: selection

The doxxing might just push them to rebrand, but the infrastructure usually stays active.

CL
CloudSec_Priya6/21/2026

From a pentester's perspective, their encryption implementation is actually quite buggy. We've had two clients hit recently where the ransom note failed to drop correctly because the GentleKiller process crashed halfway through.

If you find yourself in the middle of an incident, check your Application event logs for this specific crash signature before paying:

Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='.NET Runtime'} | Where-Object {$_.Message -like '*gentlekiller.exe*'}


If the process crashed, you might be able to salvage the unencrypted master file from memory.
VU
Vuln_Hunter_Nina6/22/2026

The OPSEC failure isn't surprising given the rush to onboard affiliates. We've been analyzing the GentleKiller payload's persistence mechanism and found it creates a unique scheduled task that often triggers EDR alerts. If you're hunting, check for tasks with the specific "UpdateGentle" prefix using:

Get-ScheduledTask | Where-Object {$_.TaskName -like "*UpdateGentle*"} | Select-Object TaskName, Author

Has anyone successfully reversed the encryption key generation yet, given the sloppy code?

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/21/2026
Last Active6/22/2026
Replies3
Views116